CVE-2018-3825

EPSS 0.13%
Veröffentlicht 19.09.2018 19:29:00
Zuletzt bearbeitet 21.11.2024 04:06:06
Quelle bressers@elastic.co
Teams Watchlist Login
Unerledigt Login

In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can connect to ZooKeeper directly they would be able to access configuration information of other tenants if their cluster ID is known.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Elastic ≫ Elastic Cloud Enterprise Version < 1.1.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.13%	0.291

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:P/I:N/A:N

CWE-1188 Initialization of a Resource with an Insecure Default

The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

CWE-321 Use of Hard-coded Cryptographic Key

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

https://www.elastic.co/community/security

Vendor Advisory

https://discuss.elastic.co/t/elastic-cloud-enterprise-1-1-4-security-update/135778

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2018-3825

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-3825

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-3825

EUVD